Listen to this Post
The vulnerability stems from an unauthenticated endpoint within the AVideo API plugin. Specifically, the file `plugin/API/get.json.php` is accessible without any authentication checks. This endpoint exposes a function named `decryptString` defined in `plugin/API/API.php` at lines 5945–5966. An attacker can submit arbitrary ciphertext to this endpoint and receive the corresponding plaintext in response. The critical aspect is that the application itself publicly leaks legitimate ciphertext. The `view/url2Embed.json.php` endpoint returns encrypted values (such as `playLink` or playEmbedLink) generated by `encryptString(json_encode(…))` to any unauthenticated caller. By taking this publicly exposed ciphertext and submitting it to the unauthenticated `decryptString` endpoint, an attacker can decrypt sensitive tokens or metadata that were intended to remain protected. This effectively creates an oracle that allows any user to decrypt any ciphertext generated by the application, bypassing all intended access controls. The impact is rated as High because it can lead to the disclosure of sensitive configuration details, token theft, and unauthorized access to protected video streams or administrative functions that rely on the secrecy of these encrypted strings.
Platform: AVideo
Version: Affected versions
Vulnerability: Unauthenticated decrypt oracle
Severity: High
date: 2026-03-20
Prediction: 2026-04-03
What Undercode Say:
Simulate retrieving a leaked ciphertext curl -s "https://target.com/view/url2Embed.json.php?video_id=1" | jq -r '.playLink' Exploit the decrypt oracle curl -X POST "https://target.com/plugin/API/get.json.php" \ -d "action=decryptString" \ -d "ciphertext=BASE64_CIPHER_HERE"
Exploit:
An attacker captures a ciphertext from any public endpoint (e.g., url2Embed.json.php) and sends it to the `get.json.php?action=decryptString` endpoint. The server returns the decrypted plaintext, revealing tokens, internal paths, or metadata.
Protection from this CVE
Apply patch from GitHub advisory. Restrict access to `plugin/API/get.json.php` using authentication middleware. Remove or disable the `decryptString` endpoint if not required.
Impact:
Exposure of encrypted tokens leading to unauthorized video access, privilege escalation, and potential compromise of administrative functionality.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

